Slashdot Mirror

← Back to Stories (view on slashdot.org)

Mars Global Surveyor Died from Single Bad Command

Posted by Zonk on from the damn-space-bugs dept.

wattsup writes "The LA Times reports that a single wrong command sent to the wrong computer address caused a cascade of events that led to the loss of the Mars Global Surveyor spacecraft last November. The command was an orientation instruction for the spacecraft's main communications antenna. The mistake caused a problem with the positioning of the solar power panels, which in turned caused one of the batteries to overheat, shutting down the solar power system and draining the batteries some 12 hours later. 'The review panel found the management team followed existing procedures in dealing with the problem, but those procedures were inadequate to catch the errors that occurred. The review also said the spacecraft's onboard fault-protection system failed to respond correctly to the errors. Instead of protecting the spacecraft, the programmed response made it worse.'"

40 of 141 comments (clear)

  1. It wasn't a single wrong command by 91degrees · · Score: 4, Informative
    It was a whole series of errors. Either that or every accident ever is caused by a single minor fault. Here's what the article says

    The review panel found that the management team followed procedures in dealing with the problem but that the procedures "were inadequate to catch the errors that occurred."

    The review also said the spacecraft's onboard fault protection system failed to respond to the errors. Instead of protecting the spacecraft, the programmed response made it worse.
    So, if the procedures were better, this wouldn't have happened. If the fault protection system was better, this wouldn't have happened. If the designers had predicted this exact problem might occur this wouldn't have happened.

    Of course, these things do happen. Al we can do is find out why, and stop it from happening again.
    1. Re:It wasn't a single wrong command by roaddemon · · Score: 5, Funny

      "Either that or every accident ever is caused by a single minor fault."

      I agree. Otherwise WWII was caused by Hitler's mom having one too many drinks the night she met his dad.

    2. Re:It wasn't a single wrong command by Darth_brooks · · Score: 3, Funny

      I agree. Otherwise WWII was caused by Hitler's mom having one too many drinks the night she met his dad.

      How can you come up with such a woefully shortsighted and limited in scope analysis? Honestly. There are at least two theories to work under for the cause of World War II.

      WWII was caused by a series of reactions several billion years ago between amino acids. Or it was started 5000 years ago when God created Eve for Adam. Everything else in between is just a smattering of minor details.

      --
      There are some people that if they don't know, you can't tell 'em.
    3. Re:It wasn't a single wrong command by MichaelSmith · · Score: 4, Interesting

      So, if the procedures were better, this wouldn't have happened. If the fault protection system was better, this wouldn't have happened. If the designers had predicted this exact problem might occur this wouldn't have happened.

      TFA:

      over the years budgets and staff had been cut "in an effort to operate the mission as economically as possible."

      MGS was well into bonus time in the sense that the original goals had been reached. The project was running on a reduced budget and this made a mistake inevitable. I can't help thinking that at a higher level this was considered to be a good thing. When you have new missions to run and a fixed budget to run them on you want your old missions to stop so that you can draw a line under it and go on to the next thing.

      The last thing management want is to have to decide to shut the spacecraft down because they don't have the budget for operations on the ground. Reducing the budget is a way of inducing the shutdown.

      --
      http://michaelsmith.id.au
    4. Re:It wasn't a single wrong command by Jerry+Beasters · · Score: 3, Insightful

      Smart people make mistakes, deal with it.

    5. Re:It wasn't a single wrong command by DerekLyons · · Score: 2, Informative

      The last thing management want is to have to decide to shut the spacecraft down because they don't have the budget for operations on the ground.

      A nice theory, but one that fails to coincide with the facts. NASA routinely shuts down missions for lack of budget.
    6. Re:It wasn't a single wrong command by osu-neko · · Score: 2, Interesting

      Score: 5 Interesting for a really, really lame theory?

      There are many ways to end a mission. The one best for NASA is to close it, point to its budget, and wait for the cries of underfunding, using the closure of a perfectly good mission as evidence that the agency is truly underfunded based on its needs.

      The worst is for the mission to fail in some spectacular fashion, making people wonder if they should be giving these bozos any more money.

      So, you're telling me you think NASA would intentionally end a mission in the worst possible way for its future prospects of getting money when it had the option of doing in the way most likely to get it more money instead?

      That's kinda stupid, don't you think? Shouldn't a conspiracy theory at least have the conspirators doing something that benefits them rather than cutting their own throats?

      --
      "Convictions are more dangerous enemies of truth than lies."
  2. Emmentaler vs. Gruyere by DingerX · · Score: 4, Insightful

    One bad command started the chain, but it needed a series of system failures to kill it. In other words, a slight misalignment of the solar panels (or whatever it was) may have been a necessary cause, but not sufficient. The thing needed a safe-mode that wasn't safe, and battery logic that failed to consider environmental variables. All the conditions lined up.

    It's like saying that a mid-air collision occurred because two jetliners were assigned the same altitude and jetway in opposite directions at the same time. Yeah, but A) How they got that assignment is kinda complicated and B) any number of traffic control and collision avoidance systems have to fail too.

    1. Re:Emmentaler vs. Gruyere by GTMoogle · · Score: 2, Funny

      Oh, Gruyere, definitely. Emmentaler is fine, but certainly its popularity can be attributed merely to the region's inadequate defense of the name, allowing cheap knockoffs to proliferate.

      *cricket* *cricket*

      What?

    2. Re:Emmentaler vs. Gruyere by v1 · · Score: 2, Insightful

      In most complex problems where catastrophic failure occurs, the problem manifests as a result of multiple smaller failures that combine in an unfortunate way, or as a chain reaction. By nature, people will want to narrow down the problem so they can identify a "cause". This is sometimes not appropritate as we see here, where a collection of less critical failures lead to catastrophy, any of which having been avoided would have prevented disaster. It's a bit like team theory... after losing a game the coach does not go looking for the one player that lost them the game - it's a team effort and everyone is involved and bears some responsibility. Unless someone made a blatant and major mistake that was responsible for the vast majority of the fallout that resulted, you have to accept that no one was "at fault". In this case several people made minor mistakes that by themselves are minor, but combined in such a way proved fatal to the craft. It's not anyone's fault, these things happen. All you can do to prevent this from happening again is to tighten up procedures to try to lower the number of minor failures that will occur (and you must accept you will never get them all) and to institute more review/backstopping to make it more likely that not only minor problems will be identified and fixed, but also that the result of complex interrelated events is predicted and prepared for.

      --
      I work for the Department of Redundancy Department.
  3. That'll Teach 'Em by Anonymous Coward · · Score: 5, Funny

    That'll teach those NASA folks to stop just using "sudo" when a command doesn't work under regular user permissions...

    1. Re:That'll Teach 'Em by Tibor+the+Hun · · Score: 4, Funny

      You've just lost thousands of Windows folks...
      su..do...?

      --
      If you don't know what AltaVista is (was), get off my lawn.
    2. Re:That'll Teach 'Em by Anonymous Coward · · Score: 4, Funny

      ku!

    3. Re:That'll Teach 'Em by Spudtrooper · · Score: 4, Funny

      Mars Global Surveyor wants to commit seppuku: Cancel or Allow?

  4. Oblig. by TehBlahhh · · Score: 3, Funny

    It was the Tamil Tigers that hacked it, and inserted this insidious command! The threat of terrorists is everywhere! This would have been preveneted if we had kept up the war on terror.

  5. You nits by Bastard+of+Subhumani · · Score: 3, Insightful

    The mistake caused a problem with the positioning of the solar power panels
    What was it this time, degrees vs radians?
    --
    Only three things are certain; death, taxes, and apocryphal quotations - Ben Franklin.
  6. *Design* flaw by CatoNine · · Score: 3, Insightful

    From TFA: ".... That exposed one of the batteries to direct sunlight, causing it to overheat." So, also a small naviation error or small mechanical failure could already cause this thing to overheat. It should have been constructed more robust.

    1. Re:*Design* flaw by dsanfte · · Score: 2, Interesting

      Some temperature monitors on critical, exposed devices would also help. All you need is the CPU temperature diode present on just about every motherboard sold today. In fact, how about many of them, arranged at strategic positions on the spacecraft hull to give real-time temperature information to the satellite's computer? I guess complicated ideas like these get ignored in favor of simpler solutions, like relying on large chains of command and bureaucratic procedures carried out 30 light-minutes from the point of failure.

      --
      occultae nullus est respectus musicae - originally a Greek proverb
    2. Re:*Design* flaw by Mike1024 · · Score: 4, Informative

      Some temperature monitors on critical, exposed devices would also help. All you need is the CPU temperature diode present on just about every motherboard sold today.

      I looked at the actual report on the NASA website; it said "the spacecraft's power management software misinterpreted the battery over temperature as a battery overcharge and terminated its charge current."

      There was a temperature monitor on the critical, exposed component. Furthermore, the information from the sensor was used in a sensible manner: Li-poly/li-ion batteries can catch fire under some circumstances (see also: sony laptop batteries) so if your li-poly battery overheats while being charged you stop charging it (because you'd rather have a flat battery than an exploded battery).

      After the craft stopped charging the battery it never started charging the battery again. The battery ran down and the craft stopped working.

      The obvious question is: why didn't charging resume after the battery had cooled down? It might not have cooled down (as it was hot in the first place due to being exposed to the sun) or the system might have been waiting for a 'resume charging' command from ground control, which was never received as the high-gain antenna was in the wrong position.

      Personally if I was designing a space craft I'd duplicate the (presumably quite small) onboard computer and radio hardware, because it seems quite common for software/electronics failures to result in loss of communications. Having two processors running different software, each capable of reprogramming the other one if it became broken, would seem like a sensible route to take.

      Just my $0.02.

      --
      "Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
    3. Re:*Design* flaw by dsanfte · · Score: 2, Insightful

      This has been standard procedure for many decades.


      And yet, it failed.
      --
      occultae nullus est respectus musicae - originally a Greek proverb
    4. Re:*Design* flaw by maxume · · Score: 3, Interesting

      They don't get to build the best damn space probe they can build, they get to build the best damn space probe they can build for $X. Thermal management isn't easy; controlling orientation allows them to spend money on the stuff they are interested in, rather than insulation and shielding.

      --
      Nerd rage is the funniest rage.
    5. Re:*Design* flaw by Tablizer · · Score: 2, Interesting

      Personally if I was designing a space craft I'd duplicate the (presumably quite small) onboard computer and radio hardware, because it seems quite common for software/electronics failures to result in loss of communications. Having two processors running different software, each capable of reprogramming the other one if it became broken, would seem like a sensible route to take.

      Or maybe have a small back-up battery in the center of the probe where it cannot be heated by the sun even if the probe gets pointed in the wrong direction. However, this won't necessarily solve the problem of a damaged main battery via sun exposure. Perhaps design the craft so that any wrong orientation is not fatal. However, this cranks up the costs.

      We may have reached a threashold in unmanned exploration where the operations and software is more expensive than building and launching the hardware itself (at least for going to Mars). This may mean that it is actually cheaper to let failures slip through every now and then. For example, it may be cheaper to have 5 probes with a 40% of failure than 2 probes with 10% failure. However, such may result in national embarassment. Optimum science per dollar and national pride may be in conflict here.

      --
      Table-ized A.I.
  7. Re:Bad command or filename by robably · · Score: 5, Funny

    C:\>
    You know, that looks like the emoticon for an egghead with a beard, frowning. Very appropriate.
  8. Give NASA a break by patio11 · · Score: 2, Interesting

    It worked for a decade at a cost of a piddling $220 million, plus $20 million a year in upkeep. At a hair over $40 million a year, thats much, much less wasteful than most NASA missions. (Yeah, I suppose you could consider whether the return was worth it. Heh, who are we kidding -- did YOU get $40 million a year out of those desktop photos? I didn't.)

    I propose that next time NASA spend $150 million on the construction phase, which is just a slush fund for defense contractors anyhow, and then issue the lethal command before launch. Then we'd save a decade worth of upkeep costs and the $65 million launch budget. NASA could even have a $10 million prize going to the person who most creatively identified a possible fatal error, since thats the only fun part of these missions for people who aren't rocket scientists and we wouldn't want to skimp on it.

    --
    Help poke pirates in the eyepatch, arr.
    1. Re:Give NASA a break by Anonymous Coward · · Score: 3, Insightful

      "did YOU get $40 million a year out of those desktop photos?"

      MGS mapped targetted parts of the surface of Mars at much higher resolution than any previous mission. Among other things, it was responsible for finding the gullies that are probably signs of water being expelled recently at the surface. The length of the mission allowed it to detect changes at these sites, suggesting the process is still occurring today.

      What you really seem to be saying is that exploration of Mars by any means is a big waste of money, in which case, if you're going to complain about any specific mission as an example, MGS should be way down the list, because it was comparatively cheap, long-lived, and successful.

    2. Re:Give NASA a break by dreamchaser · · Score: 2, Insightful

      I propose that you get a clue. It's hard to place a value on science like this, but the advancement of knowledge and working towards getting off this rock are both highly valuable fields of endeavor.

      As for your 'proposal'...did you just pull those numbers out of your ass? If anything costs increase over the years due to rising wages and inflation. $220 million was *dirt cheap* by space mission standards.

      We waste far more money on subsidies and entitlements in the US than we spend on science like this.

    3. Re:Give NASA a break by brassman · · Score: 3, Insightful

      > did YOU get $40 million a year out of those desktop photos? I didn't.

      So divide that by 200 million (roughly) to get your share.

      I got two quarters' worth. Heck, you can't get a comic book for fifty cents.

      --
      "Ain't no right way to do a wrong thing."
  9. The actual report by Mike1024 · · Score: 5, Informative

    The preliminary official report is availiable from here. The summary conclusions are:

    * A modification to a spacecraft parameter, intended to update the High Gain Antenna's (HGA) pointing direction used for contingency operations, was mistakenly written to the incorrect spacecraft memory address in June 2006. The incorrect memory load resulted in the following unintended actions:
    ** Disabled the solar array positioning limits.
    ** Corrupted the HGA's pointing direction used during contingency operations.
    * A command sent to MGS on November 2, 2006 caused the solar array to attempt to exceed its hardware constraint, which led the onboard fault protection system to place the spacecraft in a somewhat unusual contingency orientation.
    * The spacecraft contingency orientation with respect to the sun caused one of the batteries to overheat.
    * The spacecraft's power management software misinterpreted the battery over temperature as a battery overcharge and terminated its charge current.
    * The spacecraft could not sufficiently recharge the remaining battery to support the electrical loads on a continuing basis.
    * Spacecraft signals and all functions were determined to be lost within five to six orbits (ten-twelve hours) preventing further attempts to correct the situation.
    * Due to loss of power, the spacecraft is assumed to be lost and all recovery operations ceased on January 28, 2007.

    --
    "Goodness me, how unlike the FBI to abuse the trust of the American public." -- The Onion
    1. Re:The actual report by gfilion · · Score: 2, Informative

      The preliminary official report is availiable from here.

      Thanks for the link. The report is only three pages long and very interesting to read. The cause (quoted below) is really stunning, I wonder what's the probability of this sequence of event to happen.

      The LM team performed a fault analysis to determine the cause of the spacecraft anomaly. An LM spacecraft engineer ultimately determined that the likely cause of the anomaly was an incorrect parameter upload that had occurred 5 months earlier (June 2006). A direct memory command to update the HGA's positioning for contingency operations was mistakenly written to the wrong memory address in the spacecraft's onboard computer. This resulted in the corruption of two independent parameters and had dire consequences for the spacecraft. The first parameter error caused one solar array to be driven against its hard stop, leading the MGS fault-protection system to incorrectly believe it had a stuck gimbal, causing MGS to enter contingency mode. Upon entry into contingency mode, the spacecraft's orientation was such that one of the batteries was directly exposed to the sun. This caused the battery to overheat which in turn gave a false indication of an overcharged battery and led to the premature termination of battery charging on each subsequent orbit. Even though the remaining battery continued to be charged, it was not being charged sufficiently to support the full electrical load, which was normally supported by both batteries. The end result was that both batteries were depleted, probably within 12 hours. The second parameter error caused the HGA to point away from the Earth when the spacecraft was, in fact, properly oriented to communicate to Earth. Communication from the spacecraft to the ground was therefore impossible, and the unsafe thermal and power situation could not be identified by the MGS's ground controllers.
    2. Re:The actual report by gfilion · · Score: 2, Informative

      So hang on... they *overwrote* the memory which contained the contingency operations plan and the hardware limitations data for the solar array? Surely that's bad design, you shouldn't be able to overwrite something like that (Unless the hardware limits plan on changing mid-mission). NASA fault protection modules evidently don't do their job too well :-/

      Actually, they had to correct a previous error by writing directly to memory. I believe that writing directly to memory is not a standard operating procedure. The PDF report linked by the GP states that:

      [...] The HGA parameter was actually updated on the two redundant control systems at two different times. The updates were commanded with slightly different (operator input) precision. This difference in precision, while numerically inconsequential, resulted in an inconsistency between the computer memories. A full memory readout taken at a later date revealed the difference between the two positioning angles, which warranted a correction by the operations team. During the effort to correct the inconsistency, the operations team specified incorrect memory addresses. The incorrect memory addresses caused the command upload to enter data into erroneous memory locations, resulting in the consequences described above.
  10. Impressive by hcdejong · · Score: 4, Interesting

    Not the error itself, but the fact NASA was able to figure out what happened in such detail, when the spacecraft it happened to is not giving any diagnostic information and cannot be examined directly.

  11. wrong parameter? by advocate_one · · Score: 4, Funny

    /sudo shutdown -h now sent instead of /sudo shutdown -r now

    --
    Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
  12. What's in a name.. by owlnation · · Score: 2, Funny

    Admittedly offtopic, but...

    Somehow I find it reassuring that NASA employs someone called "Dolly Perkins". It has that warm cosy 1950's feeling of Golden Age Space Exploration. Now, if only we could get the astronauts named "Buck", "Rock", or "Trent".

  13. Re:Bad command or filename by Dasher42 · · Score: 4, Funny

    *sniff*

    You just made a beautifully appropriate commentary on a common fixture of my childhood. Dude.

  14. Good code Is For Old People by AHuxley · · Score: 2, Informative
    In Capitalist West you send sloppy code to perfect probe.
    In Soviet Russia perfect probe sends lens cap code back to you!


    A wiki link to help with the lens part.
    http://en.wikipedia.org/wiki/Venera_program

    --
    Domestic spying is now "Benign Information Gathering"
  15. More robust == heavier by mangu · · Score: 3, Insightful
    It should have been constructed more robust.


    So, which scientific experiment would you remove in order to put additional heat shielding? No, the thermal shielding and other protection systems are just right for a spacecraft that had to travel a hundred million kilometers.


    What really failed was the ground-based software, that didn't have a good enough thermal model, and the technical support team. Equipment may fail, operators may commit errors, but there should be enough experienced engineers around to do a correct analysis to catch those errors. Downgrading of the engineering team is the true problem here. Look at what happened to Columbia. It blew up on reentry because of a failure that had happened on take-off, was caught on video, but not analyzed correctly.


    NASA isn't alone in these failures, perhaps one could say they set the pace for the rest of the industry. The lack of a good thermal model is typical of a whole generation of engineers used to do everything in Excel. With the current CPUs one has at each desktop, it wouldn't be so hard to do a correct thermal model of the spacecraft, but it would imply in solving a system of partial differential equations in C++, something very few engineers are able to do, even when given an extensive library.

  16. Batteries Overheating by ptelligence · · Score: 2, Funny

    Guess they weren't aware of the recall on those Dell batteries.

  17. Nope, those are the real numbers by patio11 · · Score: 2, Informative

    http://nssdc.gsfc.nasa.gov/database/MasterCatalog? sc=1996-062A

    I realize this was dirt cheap by space mission standards. A laptop encrusted with diamonds which costs $80,000 is dirt cheap by laptop-encrusted-with-diamonds standards. That *doesn't make it worth the money*. I know we waste far more than $40 million a year on many things -- and, logically, every one of them except one can be justified by "We waste more money on another program, don't cut *my* hobby horse!"

    Its interesting that you draw the distinction between subsidies/entitlements and science, since NASA is a fairly naked subsidy directly to defense contractors, who make all of the really expensive bits. I'm all for giving Lockheed Martin money when its required, but lets be honest and get ourselves something which blows up in a suitably impressive manner when we do, OK? Similarly, I might even be persuaded that the US federal government should fund science projects -- great, then *fund science*! Don't blow $160 million just to accelerate a tin can out of the atmosphere to get a few close up pictures of rocks. $160 million could fund an awful lot of real science down here, much of which would produce actual results (or, alternatively, you could fund research gazing into the Clear Blue Sky, which is *still* cheap when you do it somewhere in atmosphere).

    --
    Help poke pirates in the eyepatch, arr.
  18. Better, fast, cheaper - the reality by kilodelta · · Score: 3, Insightful

    NASA has been on this kick of doing quick, reduced cost and inexpensive projects for some time now. They really have no choice since congress will only give them funding for unmanned and low cost missions.

    So occasionally you get the stunning successes, E.G. the Mars rovers Spirit and Opportunity. Considering they were only supposed to last 90 sols and they're somewhere out to 1075 or more sols it means that the Steve Squyers is currently the start of NASA.

    But more likely you get the devastating failures.

    It's really sad that we blow a few billion a month on our little Iraq and Afghanistan ventures yet sciences take a back seat.

  19. Typical multiple-factor catastrophe by mattr · · Score: 4, Interesting

    There are an awful lot of posts here that disparage the people who have built and operated this system. To me it looked very much like the explanation for an aircraft accident. The easy failure modes are all known, so the really hard ones are left. In aircraft accidents, and it seems space accidents now too, a fatal result is generally the result of a number of seemingly disparate factors including system states, environmental state, and human impressions of what is going on.

    In one major aircraft accident I know a lot about, the (Airbus) jet crashed in part because it ended up being a tug of war between a human pilot and a robot autopilot that should have been disengaged, causing and up and down roller coaster ride. There were lots of other distracting things that were maybe wrong or maybe not, but a key part was the difficulty in knowing what state the machine was in.

    It was a similar situation with this accident, it seems, and though the misuse of metric units caused another recent accident it appears that these incidents have elements in common. They are also made more probable it strikes me by funding pressures and also in the way that operating these systems involves radical commands while the systems also lack enough power to be self-aware enough to preserve themselves.

    I am not going to do any more guessing because the people involved can probably figure it out themselves, and it seems that these combined factor accidents at least are not costing human lives, while they are adding to knowledge about how not to make the accident the next time.

    In that regard my hope is that some of the money being spent on Mars can be used to improve autonomous robotic systems to reduce accidents both on Mars and on Earth.